Add permissions patches

spec.bs

@@ -74,6 +74,8 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
         text: cross-origin isolation mode; url: bcg-cross-origin-isolation
       for: cross-origin isolation mode
         text: none; url:cross-origin-isolation-none
+    urlPrefix: document-lifecycle.html
+      text: create and initialize a Document object; url: initialise-the-document-object
     urlPrefix: browsing-the-web.html
       text: create navigation params by fetching; url: create-navigation-params-by-fetching
       text: document state; url: she-document-state
@@ -83,6 +85,7 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
       for: navigation params
         text: response; url: navigation-params-response
         text: navigable; url: navigation-params-navigable
+        text: origin; url: navigation-params-origin
       for: history handling behavior
         text: replace; url: hh-replace
       for: document state
@@ -109,6 +112,21 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
     urlPrefix: nav-history-apis.html
       for: Window
         text: navigable; url: window-navigable
+    urlPrefix: webappapis.html
+      for: environment
+        text: target browsing context; url: concept-environment-target-browsing-context
+    urlPrefix: document-sequences.html
+      for: browsing context
+        text: active document; url: active-document
+spec: fetch; urlPrefix: https://fetch.spec.whatwg.org/
+  type: dfn
+    text: queue a cross-origin embedder policy CORP violation report; url: queue-a-cross-origin-embedder-policy-corp-violation-report
+    text: should request be blocked due to a bad port; url: block-bad-port
+spec: mixed-content; urlPrefix: https://w3c.github.io/webappsec-mixed-content/
+  type: dfn
+    text: should fetching request be blocked as mixed content; url: should-block-fetch
+spec: CSP; urlPrefix: https://w3c.github.io/webappsec-csp/
+  type: dfn
     urlPrefix: interactive-elements.html
       text: accesskey attribute command; url: using-the-accesskey-attribute-to-define-a-command-on-other-elements
       text: previously focused element; url: previously-focused-element
@@ -125,6 +143,18 @@ spec: RFC8941; urlPrefix: https://www.rfc-editor.org/rfc/rfc8941.html
     text: structured header; url: #section-1
     for: structured header
       text: token; url: name-tokens
+spec: permissions-policy; urlPrefix: https://w3c.github.io/webappsec-permissions-policy
+  type: dfn
+    text: Create a Permissions Policy for a navigable; url: algo-create-for-navigable
+    text: Create a Permissions Policy for a navigable from response; url: algo-create-from-response
+    text: Define an inherited policy for feature in container at origin; url: define-inherited-policy-in-container
+    text: default allowlist; url: policy-controlled-feature-default-allowlist
+    text: ASCII-serialized policy directive; url: serialized-policy-directive
+    text: inherited policy; url: inherited-policy
+    text: serialized permissions policy; url: serialized-permissions-policy
+    for: permissions
+      text: matches; url: matches
+      text: permissions policy; url: permissions-policy
 spec: CSP; urlPrefix: https://w3c.github.io/webappsec-csp/
   type: dfn
     text: directive value; url: directive-value
@@ -254,6 +284,7 @@ dl, dd {
  <dd>[=Global attributes=]</dd>
  <dd><code>[=width=]</code> — Horizontal dimension</dd>
  <dd><code>[=height=]</code> — Vertical dimension</dd>
+ <dd><code><{fencedframe/allow}></code> — [=permissions/Permissions policy=] to be applied to the <{fencedframe}>'s contents</dd>
  <dt>[=Accessibility considerations=]:</dt>
  <dd><p class=XXX>TODO</p></dd>
  <dt>[=DOM interface=]:</dt>
@@ -266,6 +297,7 @@ interface HTMLFencedFrameElement : HTMLElement {
   [CEReactions] attribute FencedFrameConfig? config;
   [CEReactions] attribute DOMString width;
   [CEReactions] attribute DOMString height;
+  [CEReactions] attribute DOMString allow;
 };
 </xmp>
 </dd>
@@ -340,6 +372,14 @@ The <dfn attribute for=HTMLFencedFrameElement>config</dfn> IDL attribute getter
   1. <span class=XXX>TODO</span>
 </div>
 
+The <dfn element-attr for=fencedframe>allow</dfn> attribute, when specified, determines the
+[=container policy=] that will be used when the [=Document/permissions policy=] for a {{Document}}
+in the <{fencedframe}>'s [=fenced navigable container/fenced navigable=] is initialized. Its value
+must be a [=serialized permissions policy=]. [[!PERMISSIONS-POLICY]]
+
+The IDL attribute <dfn attribute for=HTMLFencedFrameElement>allow</dfn> must [=reflect=] the
+respective content attribute of the same name.
+
 <h3 id=dimension-attributes>Dimension attributes</h3>
 
 This section details monkeypatches to [[!HTML]]'s <a
@@ -1010,8 +1050,6 @@ Note: This is because we need to ensure that we do not leak <var ignore>creator<
 document's referrer|referrer=], [=Document/origin=], [=creator base url=], [=Document/policy
 container=], across the fenced frame boundary.
 
-Issue: Ensure we are doing the right thing for [=Document/permissions policy=].
-
 <h3 id=nested-traversables>Nested traversables</h3>
 
 <h4 id=nested-traversables-intro>Introduction</h4>
@@ -1717,3 +1755,160 @@ specification is printed below:
   /fenced-frame/cspee.https.html
   /fenced-frame/embedder-csp-not-propagate.https.html
 </wpt>
+
+<h3 id=permissions-policy-changes>Permissions Policies</h3>
+
+Permissions are granted to {{Document}} inside of <{fencedframe}>s through the
+{{FencedFrameConfig}} object and its associated internal [=fencedframeconfig/config=], which defines
+the permissions [=fenced frame config/effective permissions|required=] for a <{fencedframe}>
+to navigate successfully. Specifically, a {{Document}} inside of a <{fencedframe}> can only load if
+it has opted into all of the [=fenced frame config/effective permissions=].
+
+<h4 id=permissions-policy-patches>Algorithm patches</h4>
+
+<div algorithm=create-permissions-policy>
+  Rewrite step 1 of the [=Create a Permissions Policy for a navigable=] algorithm to read:
+
+  1. [=Assert=]: if not null, <var ignore>container</var> is either a [=navigable container=] or a
+     [=fenced navigable container=].
+</div>
+
+<div algorithm=create-fenced-permissions-policy>
+  Create a new algorithm called <dfn>Create a Permissions Policy for a fenced navigable</dfn> in
+  [[!PERMISSIONS-POLICY]].
+
+  Given null or an element (|container|), an [=origin=] (<var ignore>origin</var>), and an optional
+  [=fencedframetype/exhaustive set of permissions=] (|effective permissions|), this algorithm
+  returns a new [=Document/permissions policy=].
+
+  1. [=Assert=]: if not null, |container| is a [=fenced navigable container=].
+
+  2. Let |inherited policy| be a new [=ordered map=].
+
+  4. If |effective permissions| is given, then [=list/For each=] |feature| |effective permissions|,
+     set |inherited policy|[|feature|] to "`Enabled`".
+
+     Otherwise, set |inherited policy|[|feature|] to "`Disabled`".
+
+  5. Let |policy| be a new [=permissions/Permissions policy=], with inherited policy |inherited
+     policy| and declared policy a new [=ordered map=].
+
+  6. Return |policy|.
+
+  Note: It is safe to naively set the frame's permissions to the |effective permissions|. By this
+  point, the [=Should navigation response to navigation request be blocked by Permissions Policy?=]
+  check will have verified that the fenced frame is not trying to get extra permissions that the
+  embedder didn't delegate.
+
+</div>
+
+<div algorithm=allow-attribute-fenced-frame>
+  Rename the <a href=https://w3c.github.io/webappsec-permissions-policy/#iframe-allow-attribute>The
+  `allow` attribute of the `iframe` element</a> section to "The `allow` attribute of the `iframe`
+  and `fencedframe` element", and rewrite the section to read:
+
+  <{iframe}> and <{fencedframe}> elements have an respective `allow` attributes (<{iframe}>:
+  <{iframe/allow}>; <{fencedframe}>: <{fencedframe/allow}>), which contain an [=ASCII-serialized
+  policy directive=].
+
+  The allowlist for the features named in the attribute may be empty; in that case, the default
+  value for the allowlist is "`src`", which represents the origin of the URL in the iframe’s src
+  attribute, or the fencedframe's [=fenced frame config=].
+
+  When not empty, the <{iframe}>'s <{iframe/allow}> or <{fencedframe}>'s <{fencedframe/allow}>
+  attribute will result in adding an allowlist for each recognized feature to the iframe element’s
+  content navigable's container policy or the fencedframe element's [=fenced navigable container/
+  fenced navigable=]'s container policy, when it is constructed.
+</div>
+
+<div algorithm=create-permissions-policy-response>
+  Modify the definition of [=Create a Permissions Policy for a navigable from response=] to read:
+
+  Given null, a [=navigable container=], or a [=fenced navigable container=] (|container|), an
+  [=origin=] (|origin|), a [=response=] (<var ignore>response</var>), and null or an
+  [=fencedframetype/exhaustive set of permissions=] (|effective permissions|), this algorithm
+  returns a new [=Document/permissions policy=].
+
+  Modify step 1 of the algorithm to read:
+  1. If |container| is a [=fenced navigable container=], then let <var ignore>policy</var> be the
+     result of running
+     [=Create a Permissions Policy for a fenced navigable=] given |container|, |origin|, and
+     |effective permissions|.
+
+     Otherwise, let <var ignore>policy</var> be the result of running [=Create a Permissions Policy
+     for a navigable=] given |container| and |origin|.
+</div>
+
+<div algorithm=shared-document-creation-changes>
+  Modify the [=create and initialize a Document object=] algorithm. Rewrite step 3 to read:
+
+  3. Let <var ignore>permissionsPolicy</var> be the result of [=Create a Permissions Policy for a
+     navigable from response|creating a permissions policy from a response=] given
+     |navigationParams|'s [=navigable=]'s [=navigable container|container=], |navigationParams|'s
+     [=navigation params/origin=], |navigationParams|'s [=navigation params/response=], and
+     |navigationParams|'s [=navigable=]'s [=fenced frame config instance=]'s [=fenced frame config
+     instance/effective permissions=].
+</div>
+
+<div algorithm=new-browsing-context-changes>
+  Modify the [=create a new browsing context and document=] algorithm. Rewrite step 7 to read:
+
+  7. If <var ignore>navigationParams</var>'s [=navigable=]'s [=navigable/traversable navigable=] is
+     a [=fenced navigable container/fenced navigable=], let |permissionsPolicy| be the result of
+     [=Create a Permissions Policy for a fenced navigable|creating a permissions policy for a fenced
+     navigable=] given |embedder|, |origin|, and null.
+
+     Otherwise, let |permissionsPolicy| be the result of [=Create a Permissions Policy for a
+     navigable|creating a permissions policy=] given |embedder| and
+     |origin|.
+
+  Note: This change is made in addition to the changes to [=create a new browsing context and
+  document=] outlined in [[#creating-browsing-contexts-patch]].
+</div>
+
+<div algorithm=attempt-populate-history-patches>
+  Modify [[HTML]]'s [=attempt to populate the history entry's document=] algorithm. Add a step
+  before the step inside the [=queue a task|queued task=] starting with "If
+  |failure| is true, then:" that reads:
+
+  8. Otherwise, if the result of [=Should navigation response to navigation request be blocked by
+    Permissions Policy?=] given <var ignore>navigationParams</var>'s [=response=], and <var
+    ignore>navigable</var> is "`Blocked`", then set |failure| to true.
+</div>
+
+<div algorithm=permissions-policy-block-request>
+  Create a new algorithm called <dfn>Should navigation response to navigation request be blocked by
+  Permissions Policy?</dfn> in [[!HTML]].
+
+  Given a [=response=] (|response|) and a [=navigable=] (|navigable|), this algorithm returns
+  `Blocked` or `Allowed`:
+
+  1. If |navigable| is not a [=fenced navigable container/fenced navigable=], then return `Allowed`.
+
+  2. Let |origin| be |response|'s [=response/url=]'s [=url/origin=].
+
+  3. Let |effective permissions| be the |navigable|'s [=navigable/fenced frame config instance=]'s
+     [=fenced frame config instance/effective permissions=].
+
+  4. Let |permissions policy| be the result of [=Create a Permissions Policy for a navigable|
+     creating a permissions policy=] given |navigable|'s [=navigable container|container=] and
+     |origin|.
+
+  5. Let |inherited policy| be |permissions policy|'s [=inherited policy=].
+
+  6. [=list/For each=] |feature| of |effective permissions|:
+
+    1. If |inherited policy|[|feature|] is "Disabled", return "`Blocked`".
+
+    Issue: This deviates from the implementation. By relying on creating a permissions policy, we
+    are squashing information about why a feature is enabled/disabled. We don't know if it's enabled
+    by default or explicitly enabled, which the implementation relies on to make its decision about
+    whether to allow or disallow a fenced frame load.
+
+  7. Return "`Allowed`."
+
+  Note: After this point, the [=Create a Permissions Policy for a fenced navigable=] algorithm will
+  give the frame the permissions listed in |effective permissions|. This is done to have the
+  list of allowed permissions be the tightest union between the container policy and the permissions
+  needed to load the fenced frame.
+</div>